Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20230621-en -
resource tags
-
submitted
29/06/2023, 22:45
General
-
Target
Jsreceipt0193617_PDF.html
-
Size
103B
-
MD5
c349aed7796c6cf3784b423f7a348429
-
SHA1
1f9f048f524a83ad569e0df65b709bc1de4f344f
-
SHA256
07176693f0658bb82e3408ef1e85a545b039acf315749ce888dfce55252696cc
-
SHA512
f505e8dfd29079f11b817204334e65a6c307e6bed8d5a04a7a95fef32bf4031040ef7830b7f039f596c904a489de2887d0903016204e1e78b9715126ccb1e455
Malware Config
Extracted
vjw0rm
http://jsnew9400.duckdns.org:9400
Signatures
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 51 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Jsreceipt0193617_PDF.html1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Jsreceipt0193617_pdf.zip\Jsreceipt0193617_pdf.js"1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD54b958c078984d97dc80efb7b9c9db5d9
SHA1e36452e7ea54d63035d7a8d81d13ea506fc8357f
SHA2560b69c52b5e2faba2e0b7d6e67a7693e333d0aea0dbb80cb95764fd50b9a0e799
SHA51275fbbc35d97c0d0513324ee27395c74d70e2b2a3dcdd0c03e4014b0b0307c9e7742c49a165677cee79563f4efbe56c94bbaea2c7867d3401cbe1fabab7df9c91
-
Filesize
404B
MD5cbc113b9420f3adf1dfff952ce89268a
SHA1e73e42c10cdfc0ca97f293e6da8382ccec5d8b95
SHA25607c6a299470f1359e6f5fc545955328a938c69e06580ba3a3079b7faf509cf3f
SHA512316517d3ea3c246421c3aaacef1da66d943598452fcc3f9b00609c182bd63f0351cb03ee1eafecfbf2dd25a18442b1105a754ec55f566fe65ccbc14d62df33b2
-
Filesize
300KB
MD5b3f848fe0250349da6b62939ac0b848e
SHA19b15a7ca6b7832c48f028de394bfd0c796bc560a
SHA256a174433a80690c315a52012c68ca86c3b03683ff6fd8420a261146d747ba93fb
SHA512c5e46ca54d198a6287769078130b266d21c72efb7a1ca8c9d69ed1be8613619c6e5cc1436665151b1ad86a5533bbd7546060728de4393b783066302cc41717cd
-
Filesize
300KB
MD5b3f848fe0250349da6b62939ac0b848e
SHA19b15a7ca6b7832c48f028de394bfd0c796bc560a
SHA256a174433a80690c315a52012c68ca86c3b03683ff6fd8420a261146d747ba93fb
SHA512c5e46ca54d198a6287769078130b266d21c72efb7a1ca8c9d69ed1be8613619c6e5cc1436665151b1ad86a5533bbd7546060728de4393b783066302cc41717cd
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
608B
MD5720e72acd6b76dc2351d02f51109e637
SHA1ced7e01ff20d7d3a523854a7dff71f2d33f9d0f1
SHA25631e48c1b155330b170d99cf5d083a3cde07bf473f125be651a38cf218107ac1b
SHA5123c9b44cb521eeb4ab96111200d9be6398ce9b31ce1f29838bef9fe7bba71df0b2c16419e412bd9f9e3c2f7ecc7e118f0791d3f03c640c70e8aed9424580c96d5
-
Filesize
609B
MD593516833b3cbaab82e8ff82b3d6e2be9
SHA1cdcdd6355b5b981c0f81db38b62e68bbd59c5a7c
SHA2565d1898aab83d148a1ae580939920e4c63c47a28e8bf91fb6acbdfc4e8e2928b2
SHA51210d976c732773234d585bd3cc67f0d4ddbb4a019d3aa486bffc50d186c0543992e906a6681b5f881918d6beead16b94cedae44714ac8c8fe08bdd2d65daa05fa